matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00
Code Activity

Put code challenge methods in AuthorizationRequestData

Browse Source 
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
This commit is contained in:
Kévin Commaille
2023-08-09 11:43:04 +02:00
committed by Quentin Gliech
parent dbdeea4a10
commit bbd0956f2d
3 changed files with 33 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
crates/handlers/src/upstream_oauth2/authorize.rs
View File

@ -86,17 +86,20 @@ pub(crate) async fn get(
let redirect_uri = url_builder.upstream_oauth_callback(provider.id); let redirect_uri = url_builder.upstream_oauth_callback(provider.id);
let data = AuthorizationRequestData::new( let mut data = AuthorizationRequestData::new(
provider.client_id.clone(), provider.client_id.clone(),
provider.scope.clone(), provider.scope.clone(),
redirect_uri, redirect_uri,
); );
if let Some(methods) = metadata.code_challenge_methods_supported.clone() {
data = data.with_code_challenge_methods_supported(methods);
}
// Build an authorization request for it // Build an authorization request for it
let (url, data) = mas_oidc_client::requests::authorization_code::build_authorization_url( let (url, data) = mas_oidc_client::requests::authorization_code::build_authorization_url(
metadata.authorization_endpoint().clone(), metadata.authorization_endpoint().clone(),
data, data,
metadata.code_challenge_methods_supported.as_deref(),
&mut rng, &mut rng,
)?; )?;

33
crates/oidc-client/src/requests/authorization_code.rs
View File

@ -75,6 +75,12 @@ pub struct AuthorizationRequestData {
/// It must be one of the redirect URIs provided during registration. /// It must be one of the redirect URIs provided during registration.
pub redirect_uri: Url, pub redirect_uri: Url,
/// The PKCE methods supported by the issuer.
///
/// This field should be cloned from the provider metadata. If it is not
/// set, this security measure will not be used.
pub code_challenge_methods_supported: Option<Vec<PkceCodeChallengeMethod>>,
/// How the Authorization Server should display the authentication and /// How the Authorization Server should display the authentication and
/// consent user interface pages to the End-User. /// consent user interface pages to the End-User.
pub display: Option<Display>, pub display: Option<Display>,
@ -114,6 +120,7 @@ impl AuthorizationRequestData {
client_id, client_id,
scope, scope,
redirect_uri, redirect_uri,
code_challenge_methods_supported: None,
display: None, display: None,
prompt: None, prompt: None,
max_age: None, max_age: None,
@ -124,6 +131,17 @@ impl AuthorizationRequestData {
} }
} }
/// Set the `code_challenge_methods_supported` field of this
/// `AuthorizationRequestData`.
#[must_use]
pub fn with_code_challenge_methods_supported(
mut self,
code_challenge_methods_supported: Vec<PkceCodeChallengeMethod>,
) -> Self {
self.code_challenge_methods_supported = Some(code_challenge_methods_supported);
self
}
/// Set the `display` field of this `AuthorizationRequestData`. /// Set the `display` field of this `AuthorizationRequestData`.
#[must_use] #[must_use]
pub fn with_display(mut self, display: Display) -> Self { pub fn with_display(mut self, display: Display) -> Self {
@ -203,13 +221,13 @@ struct FullAuthorizationRequest {
/// Build the authorization request. /// Build the authorization request.
fn build_authorization_request( fn build_authorization_request(
authorization_data: AuthorizationRequestData, authorization_data: AuthorizationRequestData,
code_challenge_methods_supported: Option<&[PkceCodeChallengeMethod]>,
rng: &mut impl Rng, rng: &mut impl Rng,
) -> Result<(FullAuthorizationRequest, AuthorizationValidationData), AuthorizationError> { ) -> Result<(FullAuthorizationRequest, AuthorizationValidationData), AuthorizationError> {
let AuthorizationRequestData { let AuthorizationRequestData {
client_id, client_id,
mut scope, mut scope,
redirect_uri, redirect_uri,
code_challenge_methods_supported,
display, display,
prompt, prompt,
max_age, max_age,
@ -289,9 +307,6 @@ fn build_authorization_request(
/// * `authorization_data` - The data necessary to build the authorization /// * `authorization_data` - The data necessary to build the authorization
/// request. /// request.
/// ///
/// * `code_challenge_methods_supported` - The PKCE methods supported by the
/// issuer, from its metadata.
///
/// * `rng` - A random number generator. /// * `rng` - A random number generator.
/// ///
/// # Returns /// # Returns
@ -317,7 +332,6 @@ fn build_authorization_request(
pub fn build_authorization_url( pub fn build_authorization_url(
authorization_endpoint: Url, authorization_endpoint: Url,
authorization_data: AuthorizationRequestData, authorization_data: AuthorizationRequestData,
code_challenge_methods_supported: Option<&[PkceCodeChallengeMethod]>,
rng: &mut impl Rng, rng: &mut impl Rng,
) -> Result<(Url, AuthorizationValidationData), AuthorizationError> { ) -> Result<(Url, AuthorizationValidationData), AuthorizationError> {
tracing::debug!( tracing::debug!(
@ -326,7 +340,7 @@ pub fn build_authorization_url(
); );
let (authorization_request, validation_data) = let (authorization_request, validation_data) =
build_authorization_request(authorization_data, code_challenge_methods_supported, rng)?; build_authorization_request(authorization_data, rng)?;
let authorization_query = serde_urlencoded::to_string(authorization_request)?; let authorization_query = serde_urlencoded::to_string(authorization_request)?;
@ -365,9 +379,6 @@ pub fn build_authorization_url(
/// * `authorization_data` - The data necessary to build the authorization /// * `authorization_data` - The data necessary to build the authorization
/// request. /// request.
/// ///
/// * `code_challenge_methods_supported` - The PKCE methods supported by the
/// issuer, from its metadata.
///
/// * `now` - The current time. /// * `now` - The current time.
/// ///
/// * `rng` - A random number generator. /// * `rng` - A random number generator.
@ -392,7 +403,6 @@ pub fn build_authorization_url(
/// ///
/// [Pushed Authorization Request]: https://oauth.net/2/pushed-authorization-requests/ /// [Pushed Authorization Request]: https://oauth.net/2/pushed-authorization-requests/
/// [`ClientErrorCode`]: oauth2_types::errors::ClientErrorCode /// [`ClientErrorCode`]: oauth2_types::errors::ClientErrorCode
#[allow(clippy::too_many_arguments)]
#[tracing::instrument(skip_all, fields(par_endpoint))] #[tracing::instrument(skip_all, fields(par_endpoint))]
pub async fn build_par_authorization_url( pub async fn build_par_authorization_url(
http_service: &HttpService, http_service: &HttpService,
@ -400,7 +410,6 @@ pub async fn build_par_authorization_url(
par_endpoint: &Url, par_endpoint: &Url,
authorization_endpoint: Url, authorization_endpoint: Url,
authorization_data: AuthorizationRequestData, authorization_data: AuthorizationRequestData,
code_challenge_methods_supported: Option<&[PkceCodeChallengeMethod]>,
now: DateTime<Utc>, now: DateTime<Utc>,
rng: &mut impl Rng, rng: &mut impl Rng,
) -> Result<(Url, AuthorizationValidationData), AuthorizationError> { ) -> Result<(Url, AuthorizationValidationData), AuthorizationError> {
@ -412,7 +421,7 @@ pub async fn build_par_authorization_url(
let client_id = client_credentials.client_id().to_owned(); let client_id = client_credentials.client_id().to_owned();
let (authorization_request, validation_data) = let (authorization_request, validation_data) =
build_authorization_request(authorization_data, code_challenge_methods_supported, rng)?; build_authorization_request(authorization_data, rng)?;
let par_request = http::Request::post(par_endpoint.as_str()) let par_request = http::Request::post(par_endpoint.as_str())
.header(CONTENT_TYPE, mime::APPLICATION_WWW_FORM_URLENCODED.as_ref()) .header(CONTENT_TYPE, mime::APPLICATION_WWW_FORM_URLENCODED.as_ref())

15
crates/oidc-client/tests/it/requests/authorization_code.rs
View File

@ -64,8 +64,8 @@ fn pass_authorization_url() {
CLIENT_ID.to_owned(), CLIENT_ID.to_owned(),
[ScopeToken::Openid].into_iter().collect(), [ScopeToken::Openid].into_iter().collect(),
redirect_uri, redirect_uri,
), )
Some(&[PkceCodeChallengeMethod::S256]), .with_code_challenge_methods_supported(vec![PkceCodeChallengeMethod::S256]),
&mut rng, &mut rng,
) )
.unwrap(); .unwrap();
@ -117,8 +117,7 @@ fn pass_full_authorization_url() {
.with_acr_values(["custom".to_owned()].into()); .with_acr_values(["custom".to_owned()].into());
let (url, validation_data) = let (url, validation_data) =
build_authorization_url(authorization_endpoint, authorization_data, None, &mut rng) build_authorization_url(authorization_endpoint, authorization_data, &mut rng).unwrap();
.unwrap();
assert_eq!(validation_data.state, "OrJ8xbWovSpJUTKz"); assert_eq!(validation_data.state, "OrJ8xbWovSpJUTKz");
assert_eq!(validation_data.code_challenge_verifier, None); assert_eq!(validation_data.code_challenge_verifier, None);
@ -190,8 +189,8 @@ async fn pass_pushed_authorization_request() {
CLIENT_ID.to_owned(), CLIENT_ID.to_owned(),
[ScopeToken::Openid].into_iter().collect(), [ScopeToken::Openid].into_iter().collect(),
redirect_uri, redirect_uri,
), )
Some(&[PkceCodeChallengeMethod::S256]), .with_code_challenge_methods_supported(vec![PkceCodeChallengeMethod::S256]),
now(), now(),
&mut rng, &mut rng,
) )
@ -241,8 +240,8 @@ async fn fail_pushed_authorization_request_404() {
CLIENT_ID.to_owned(), CLIENT_ID.to_owned(),
[ScopeToken::Openid].into_iter().collect(), [ScopeToken::Openid].into_iter().collect(),
redirect_uri, redirect_uri,
), )
Some(&[PkceCodeChallengeMethod::S256]), .with_code_challenge_methods_supported(vec![PkceCodeChallengeMethod::S256]),
now(), now(),
&mut rng, &mut rng,
) )